fix CI build on master (#2417) #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 Goldman Sachs | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: Code Quality Check | |
on: | |
# Analysis done to check for security and quality are often taken care of by vendor tools, such as SonarCloud, CodeQL, etc. | |
# We will not run these in PR pipelins for the following reasons: | |
# 1. In terms of quality checks, these analysis are often already covered by code checks (e.g. eslint) already set to run | |
# for PRs | |
# 2. Security checks are included meaning that these checks will have to go through a huge libraries of vulnerability checks | |
# from vendor, which could take up huge amount of time to run, which is not suitable to have in PR unless absolutely necessary. | |
# However, most of the problems detected by these checks are often security warnings and some other niche problems that we might | |
# or might not necessarily have to deal with (false positive, or belongs to test-only codepath) | |
push: | |
branches: | |
- master | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
MAVEN_OPTS: "-Xmx6g" | |
# Cancel running jobs from previous pipelines of the same workflow on PR to save resource when commits are pushed quickly | |
# NOTE: we don't want this behavior on default branch | |
# See https://stackoverflow.com/a/68422069 | |
concurrency: | |
group: ${{ github.ref == 'refs/heads/master' && format('ci-default-branch-{0}-{1}', github.sha, github.workflow) || format('ci-pr-{0}-{1}', github.ref, github.workflow) }} | |
cancel-in-progress: true | |
jobs: | |
sonar-code-check: | |
name: Sonar Code Quality Check | |
# NOTE: we cannot run this action in PR anyway because secrets are not accessible from forks | |
# See https://portal.productboard.com/sonarsource/1-sonarcloud/c/50-sonarcloud-analyzes-external-pull-request | |
# See https://community.sonarsource.com/t/github-action-ci-build-fail-with-set-the-sonar-token-env-variable/38997 | |
if: github.repository == 'finos/legend-engine' | |
# NOTE: larger runner is required to run this build | |
runs-on: ubuntu-latest-4-cores | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Cache Maven dependencies | |
uses: actions/cache@v3 | |
env: | |
cache-name: cache-mvn-deps | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-build-${{ env.cache-name }}- | |
${{ runner.os }}-build- | |
${{ runner.os }}- | |
- name: Set up JDK | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 11 | |
- name: Check Java version | |
run: java -version | |
- name: Download deps and plugins | |
run: mvn de.qaware.maven:go-offline-maven-plugin:resolve-dependencies | |
- name: Check Code Quality | |
run: | | |
mvn -B -e -DskipTests=true install -P sonar |